POSTER: A Proactive Cloud-Based Cross-Reference Forensic Framework

Cited by: 3
Authors
Liu Zhenbang [1]
Zou Hengming [1]
Affiliations
[1] Shanghai Jiao Tong Univ, Sch Software, Shanghai, Peoples R China
Source
CCS'14: PROCEEDINGS OF THE 21ST ACM CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY | 2014
Keywords
proactive forensics; evidence collection; intrusion detection; security monitoring; cloud computing; Microsoft Azure
DOI
10.1145/2660267.2662355
Chinese Library Classification number
TP301 [Theory, methods]
Discipline classification code
081202
Abstract
Traditional computer forensic tools suffer from several drawbacks: 1) information recorded by the operating system and applications may not be enough for performing exact forensics, because such information is not tailored for forensic purposes; 2) evidence extraction is based on a single computer; 3) evidence is vulnerable to tampering; 4) volatile yet important evidence may not be recorded for forensic analysis. To overcome these limitations, this paper proposes a cloud-based proactive forensics framework to record state information across a set of computers (such as the cluster of computers that constitute a cloud) for cross forensic analysis. Our forensic framework is built on Microsoft Azure and can be scaled easily to accommodate the increase or decrease of forensic targets. The information recorded by our proposed forensics framework may be volatile and the recording frequency can be customized. When a digital crime occurs, there is no need to speculate about what happened; instead, we can analyze and cross-reference the recorded information to reconstruct the events that occurred. We have conducted an experiment to assess the feasibility of our framework and found the result to be satisfactory.
Pages: 1475-1477
Number of pages: 3